Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/20/2017
11:00 AM
Cemal Dikmen
Cemal Dikmen
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Lessons From The Yahoo Breach

Your organization must address these blind spots to detect sophisticated attacks.

When an organization as established and trusted as Yahoo gets breached, it seems like there's no hope for the rest of us. And in many ways, there isn't.

Despite Yahoo's perimeter defenses, the company's network was still breached. Not once, but at least twice. This indicates that these attacks were very sophisticated and carried out by highly motivated and well-funded attackers. Although Yahoo's breaches demonstrate that it's virtually impossible to prevent every motivated attacker from getting past perimeter defenses and gaining access to a secure network, there are ways to detect breaches before massive exfiltration can occur.

When it comes to breach detection and response, most enterprises today still rely on sifting through logs from network appliances such as firewalls and web gateways. This includes performing correlation using security information and event management systems to figure out how the breaches occurred.

The Yahoo breach exposed three key blind spots that need to be addressed to detect sophisticated attacks. (Editors' Note: In the spirit of transparency, SS8, the author's company, helps organizations detect and protect against network breaches using some of the concepts described in this article.)

1. Lack of application, identity, device, and geolocation information. Tools like NetFlow can't distinguish between multiple exchanges of information in a traffic flow (for example, an email session), and at best can only provide a summary of the entire flow. They leave out valuable application-specific information such as To, CC, From, and Subject fields in an email, as well as the presence of any potential malicious attachments. In addition, certain obfuscated protocols such as Tor can be difficult to detect on a network, but the ability to identify their presence and investigate these connections is critical to network security.

2. Challenges tied to archiving and network history lookup. Although some tools can store network log data for long periods of time, it remains difficult to access that information quickly for the purpose of cyber investigations such as correlating potentially malicious network activity to an individual device or user. Meanwhile, packet recording tools can provide more granular detail into network data, but the economics of storing full packets over an extended period of time is often cost-prohibitive.

3. Lack of automated workflows for threat detection. The volume of new, constantly-generated threat information, combined with a shortage of skilled cybersecurity personnel, often leads to "log and alert fatigue." This is generally due to a lack of automation for correlating the latest threat intelligence, and tying it to actual events happening on the network. Currently, most cyber investigators still have to manually perform a series of complicated steps to generate useful forensic information from log reports and the limited history of full packet capture tools.

The Yahoo breach, like most advanced cyberattacks, was carried out over a long period of time, with attackers hiding their communications in the normal flow of network traffic. According to the latest Verizon Data Breach Investigations report, dwell time — that is, the length of time an attacker is in a system before being detected — is averaging more than 200 days. 

Perimeter defenses have to make point-in-time decisions to allow or block a specific communication. Therefore, it isn't possible for them to detect advanced and persistent cyberattacks carried out over long periods of time. Even though threats can breach the perimeter through a variety of attack vectors, most malicious activity can be still be detected in the network before data exfiltration — the ultimate goal of the attack — takes place.

If we want to prevent protracted infiltrations and exfiltrations, like the one experienced by Yahoo, we need to combine deeper network visibility, including the ability to rewind past activity with constantly updated threat intelligence, and automated workflows. This will allow us to discover indicators of compromise and devices of interest early in the breach cycle, which can be investigated using actual network history to pinpoint a compromise before massive data exfiltration takes place.

Prevention is the always the goal, but incident detection and fast response can save the day.

Related Content:

 

Dr. Cemal Dikmen is Chief Security Officer for SS8, which helps companies detect and protect against network breaches. He also works with the nation's leading telecommunications service providers as well as law enforcement and intelligence agencies on cybersecurity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
thinkdifferently
50%
50%
thinkdifferently,
User Rank: Apprentice
1/23/2017 | 10:16:31 AM
Logs are not enough
Thank you for sharing this.  It's good to hear someone else preaching the same message. 

While logs are a valuable piece of the puzzle, they're limited by what the preventative controls they monitor can detect, and alone are not enough to identify advanced attacks. In fact, most successful attacks go undiscovered by logs alone. In addition, even when log-based SIEM systems are able to detect the faint signals of an attack, they are unable to piece them together to provide security analysts with the understanding to quickly respond to and disrupt the attack. Instead they overwhelm analysts with alerts that lack the context needed to take action. Security teams need to take a multifaceted and integrated approach to security in order to fully comprehend an attack, speed up response time when an incident occurs, and facilitate a return to business as usual.
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5638
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
CVE-2019-6177
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
CVE-2019-10687
PUBLISHED: 2019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
CVE-2019-11601
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-11602
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.